Editing the MountedDevices Registry Key

Persistent drive letter allocations are stored in the HKLM\SYSTEM\MountedDevices registry key. This key should be edited or deleted if booting Windows XP from a RAM disk, otherwise the drive on which Windows was originally installed will be mounted as C:, and the Windows XP booted from the disk image will be allocated the first available drive letter. Although having the system drive mounted as a letter other than C: is not necessarily a problem, anything with a hard-coded path (e.g. a desktop shortcut) could then access applications on the original Windows XP install (not the XP running from the disk image). By manually editing this key it is possible to exercise some control over mount points.

Each partition/device allocated a drive letter in Windows will have two entries (Values) in the HKLM\SYSTEM\MountedDevices key

Both of the above Values will contain the same data - a 12-byte binary entry. The first four bytes contain the disk signature of the disk containing the partition, the other eight bytes represent the partition offset. Using the example f6 b2 f6 b2 00 7e 00 00 00 00 00 00 - the disk signature corresponds to the binary value f6 b2 f6 b2 and the partition offset is 00 7e 00 00 00 00 00 00. The offset is stored least significant byte first, so it reads as 0x7E00 = 32256 bytes, which with 512-byte sectors equals sector 63.
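The 12-byte layout described above can be decoded as follows. This is an added example, not code from the original page; the function names are hypothetical, 512-byte sectors are assumed, and the (cd0) sample is constructed because the page shows only the first bytes of that value.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte sectors, which matches the page's "sector 63"

def parse_mounted_device(hex_data):
    """Decode one MountedDevices value given as space-separated hex bytes."""
    raw = bytes.fromhex(hex_data)
    if len(raw) == 12:
        # 4-byte disk signature + 8-byte partition offset, both little-endian
        signature, offset = struct.unpack("<IQ", raw)
        return {
            "kind": "partition",
            "signature": signature,
            "offset_bytes": offset,
            "start_sector": offset // SECTOR_SIZE,
        }
    try:
        # Other lengths: e.g. the (cd0) entry, whose data is a UTF-16LE string
        return {"kind": "device_path", "path": raw.decode("utf-16-le")}
    except UnicodeDecodeError:
        return {"kind": "unknown", "length": len(raw)}

def same_disk(hex_a, hex_b):
    """True when two 12-byte values carry the same disk signature."""
    a, b = parse_mounted_device(hex_a), parse_mounted_device(hex_b)
    return a["kind"] == b["kind"] == "partition" and a["signature"] == b["signature"]

# Values taken from the page
PAGE_VALUES = {
    "format example": "f6 b2 f6 b2 00 7e 00 00 00 00 00 00",
    "(hd0,0)": "70 16 3e 06 00 7e 00 00 00 00 00 00",
    "(hd0,1)": "70 16 3e 06 00 88 17 60 00 00 00 00",
    "(rd0)": "80 00 00 00 00 7e 00 00 00 00 00 00",
}
# Constructed sample: only the leading \??\ID is on the page; the rest is a placeholder
CONSTRUCTED_CD = "\\??\\ID-PLACEHOLDER".encode("utf-16-le").hex(" ")

if __name__ == "__main__":
    for name, data in PAGE_VALUES.items():
        print(name, parse_mounted_device(data))
    print("(cd0, constructed)", parse_mounted_device(CONSTRUCTED_CD))
    print("hd0,0 and hd0,1 on same disk:",
          same_disk(PAGE_VALUES["(hd0,0)"], PAGE_VALUES["(hd0,1)"]))
```

Length is the only discriminator used here, so a truncated display such as the page's (cd0) data, which happens to show exactly 12 bytes, must not be fed in as if it were the complete value.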

If the MountedDevices key is deleted then new drive letters will be assigned during the boot process. It is also possible to edit the key to change the drive letter allocated to a disk. When editing the key it is safe to delete all of the \??\Volume{guid} entries, as Windows booted from a RAM disk will assign a new {guid} value.

The examples below were tested on a system with one hard disk containing two primary partitions - (hd0,0) and (hd0,1). The Windows installation copied to the disk image was installed on (hd0,1). When the Windows installation on (hd0,1) was booted -

(hd0,0) was mounted as drive D:

(hd0,1) was mounted as drive C:

A DVD-RW drive (device (cd0)) installed on the system was mounted as drive E:

The HKLM\SYSTEM\MountedDevices key contained the following entries -

Device    Value            Data
(hd0,0)   \DosDevices\D:   70 16 3e 06 00 7e 00 00 00 00 00 00
(hd0,1)   \DosDevices\C:   70 16 3e 06 00 88 17 60 00 00 00 00
(cd0)     \DosDevices\E:   5c 00 3f 00 3f 00 5c 00 49 00 44 00..

Example 1

No changes were made to the system registry hive in the disk image. When Windows was booted from the disk image (device (rd0) in the table below) the system drive was mounted as drive F: (the first available drive letter - C:, D: and E: were already allocated) -

Device    Value            Data
(hd0,0)   \DosDevices\D:   70 16 3e 06 00 7e 00 00 00 00 00 00
(hd0,1)   \DosDevices\C:   70 16 3e 06 00 88 17 60 00 00 00 00
(cd0)     \DosDevices\E:   5c 00 3f 00 3f 00 5c 00 49 00 44 00..
(rd0)     \DosDevices\F:   80 00 00 00 00 7e 00 00 00 00 00 00

Example 2

The following example assumes that Windows was already copied to a disk image and the disk image had been mounted as drive R: (via ImDisk) -

The registry hive R:\Windows\System32\config\SYSTEM was mounted as HKLM\firadisk by entering the following command at a command prompt - reg load HKLM\firadisk R:\windows\system32\config\system

Deleted all values in the HKLM\firadisk\MountedDevices key

Unmounted the HKLM\firadisk hive (R:\Windows\System32\config\SYSTEM) by entering the following command at a command prompt - reg unload HKLM\firadisk

When Windows was booted from the disk image (device (rd0) in the table below) the system drive was mounted as drive C:, the other devices were mounted as follows -

Device    Value            Data
(hd0,0)   \DosDevices\D:   70 16 3e 06 00 7e 00 00 00 00 00 00
(hd0,1)   \DosDevices\E:   70 16 3e 06 00 88 17 60 00 00 00 00
(cd0)     \DosDevices\F:   5c 00 3f 00 3f 00 5c 00 49 00 44 00..
(rd0)     \DosDevices\C:   80 00 00 00 00 7e 00 00 00 00 00 00

Example 3

The following example assumes that Windows was already copied to a disk image and the disk image had been mounted as drive R: (via ImDisk) -

The registry hive R:\Windows\System32\config\SYSTEM was mounted as HKLM\firadisk by entering the following command at a command prompt - reg load HKLM\firadisk R:\windows\system32\config\system

Deleted all values in the HKLM\firadisk\MountedDevices key except \DosDevices\C:

Edited the \DosDevices\C: value by right-clicking on it and selecting Rename, then renamed it as \DosDevices\Z:

Unmounted the HKLM\firadisk hive (R:\Windows\System32\config\SYSTEM) by entering the following command at a command prompt - reg unload HKLM\firadisk

When Windows was booted from the disk image (device (rd0) in the table below) the system drive was mounted as drive C:, the other devices were mounted as follows (note that device (hd0,1) retained the Z: letter manually assigned to it) -